Deployment Architecture

Can I find where an event is located in Splunk?


I am trying to localize where my events are located.
- in which indexer
- in which index
- in which bucket

Can I use a search to do that?


Splunk Employee

There are internal fields that can tell you that:

  • _bkt -> the bucket. You will have to cast them into a readable field.
  • index -> the index
  • splunk_server -> the indexer
  • PS: there is a _cd field that contains an event id per bucket.

< myevent > | eval cd=_cd | eval bkt=_bkt | table cd bkt index splunk_server _time source host sourcetype _raw
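
The same lookup carried one step further, to the bucket's state and directory on the indexer, as an added example that is not part of the original answer. It groups the matching events by indexer, index and bucket, then joins against `dbinspect`, whose `bucketId` field has the same `index~id~guid` form as `_bkt`. `< myevent >` stands for your own search; the `index=*` scope and the output field names are choices made for this example.

```spl
< myevent >
| eval bkt=_bkt, cd=_cd
| stats count AS events, min(_time) AS first_event, max(_time) AS last_event, values(cd) AS event_ids BY splunk_server, index, bkt
| join type=left bkt, splunk_server
    [| dbinspect index=*
     | rename bucketId AS bkt
     | fields bkt, splunk_server, state, path]
| convert ctime(first_event) ctime(last_event)
| table splunk_server index bkt state path events first_event last_event event_ids
```

Narrowing `dbinspect` to the index you are searching keeps the subsearch small, and joining on `splunk_server` as well as `bkt` keeps replicated copies of a bucket on different indexers apart.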
